On Saturday 20 June 2009 21:00:46 Ciaran McCreesh wrote:
On Sat, 20 Jun 2009 20:40:17 +0200
Patrick Lauer patr...@gentoo.org wrote:
Have you thought about the security implications of this?
Yes.
How much do you trust the people running the overlays listed in
layman?
On Sun, 21 Jun 2009 10:43:27 +0200
Patrick Lauer patr...@gentoo.org wrote:
How much do you trust the people running the overlays listed in
layman?
VirtualBox.
And how do you use VirtualBox to prevent one malicious person from
running arbitrary code on the system of anyone using
The metadata cache is inert in the sense that it isn't executable
code (and if anyone tries to execute it ... You're doing it wrong
comes to mind), so adding it does not pessimize the situation.
But generating that cache means running code, and one of the things
that code could do is
On Sun, 21 Jun 2009 17:00:01 +0200
Patrick Lauer patr...@gentoo.org wrote:
But generating that cache means running code, and one of the things
that code could do is modify every overlay distributed by the box in
question such that anyone using any of those overlays will run
arbitrary code
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Patrick Lauer wrote:
The metadata cache is inert in the sense that it isn't executable
code (and if anyone tries to execute it ... You're doing it wrong
comes to mind), so adding it does not pessimize the situation.
But generating that cache means
Just a FYI
On 20-06-2009 18:46:33 +0200, Patrick Lauer wrote:
If I don't get distracted I might set up a proof of concept public
rsync server providing the main repo plus all overlays I can throw in,
but it'd have a low initial update frequency (6h to daily).
Note that the Prefix rsync tree
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Patrick Lauer wrote:
The only issue I have found with this idea relates to eclasses - overriding
in-tree eclasses to be precise. The problem there is that it invalidates in-
tree metadata and potentially affects other overlays too. So that's a bit
On Sat, 20 Jun 2009 18:46:33 +0200
Patrick Lauer patr...@gentoo.org wrote:
Generating the metadata cache isn't that expensive - it took about 45
minutes to initially check out almost everything layman provided and
then about an hour for the first run. Consecutive runs should be much
faster and
On Saturday 20 June 2009 20:22:22 Ciaran McCreesh wrote:
On Sat, 20 Jun 2009 18:46:33 +0200
Patrick Lauer patr...@gentoo.org wrote:
Generating the metadata cache isn't that expensive - it took about 45
minutes to initially check out almost everything layman provided and
then about an hour
On Sat, 20 Jun 2009 20:40:17 +0200
Patrick Lauer patr...@gentoo.org wrote:
Have you thought about the security implications of this?
Yes.
How much do you trust the people running the overlays listed in
layman?
VirtualBox.
And how do you use VirtualBox to prevent one malicious person
10 matches
Mail list logo